The text for the next part of the interview is not ready yet. I’ve just released this second part (now in the front page of Slashdot), but I need to do some fact-checking on SELinux (NSA-developed) before releasing the next part. Busy times since the NSA leaks…

Summary: The second part of this interview series focuses on back doors in software

TODAY we speak about back doors and software freedom tackling this issue. Now that we know that [cref 69563 the NSA receives notifications about zero-day flaws in Windows (long in advance, directly from Microsoft)], which enables cracking PCs abroad, this is very relevant.

This is the second of several and the transcript follows.

Dr. Roy S. Schestowitz: I want to try and discuss with you this whole subject of back doors. I think in the past — I know from experience — people were trying to call people like yourself “paranoid” for discussing or even entertaining the possibility that there may be back doors in proprietary software. Well, now we know that they exist. One of the things…

Dr. Richard M. Stallman: We know for a long time about specific back doors in specific proprietary software. It has been documented. For instance, the existence of a universal back door in Microsoft Windows was proved years ago. And the existence of a universal back door in most portable phones was proved years ago. Now, a universal back door means that they can be used to do absolutely anything. It can be used to change the software, so whatever they want to do, they could put in software which does it.

RSS: We can make an educated guess about what they think is intercepted and how, but I think that many discussions lack technical details on exactly how the NSA is doing what it does because Glenn Greenwald is not going to release the documents related to that. But some people were talking about hardware-level — even firewall- of network-level — back doors. We may know, based on the leaks for example of Klein in AT&T, they might be harvesting the data at the chokepoints.

RMS: Well, it’s not a back door. If AT&T agreed to connect its computers to surveillance of the NSA, that doesn’t involve a back door. Those computers belong to AT&T, so if AT&T has full control over them, which it should, then AT&T could also connect to the NSA. You see, these are somewhat different issues. The first issue, which Free software is part of, is that you should have control over your computer. Now, that’s violated with proprietary software if your computer is running, say, Windows, or Mac OS, or if it’s an iThing, or most kinds of Android products, then you don’t control it, some company is controlling it and making it do things that you’ll like. So the first thing is, [incomprehensible] says that the computer should have full control over it.

But that doesn’t mean that when you’re using some company’s service, if a company has full control over the computers that implement that service, which it should, that doesn’t mean the company will treat you right. That’s a separate issue. It’s wrong for [another] company to have control over these computers and if AT&T uses proprietary software, it [that other company] fully has control over AT&T’s computers and that’s wrong. However, making sure AT&T has complete control over its computers doesn’t guarantee that AT&T will treat us right.

RSS: I was thinking about a different scenario where the company that you interact with might itself backdoored in the sense that the firewalls, they might be using older hardware and might be using — maybe — back door by design, so that the NSA, for example, can quietly and silently infiltrate and capture data, for example, [from] firewalls or Intel chips for example.

RMS: It’s possible, and not just necessarily Intel chips because the Pentagon suspects that devices made by Huawei might have some back door of the Chinese government…

RSS: And the latest NDAA is actually explicitly forbidding the use of hardware made in China. That’s from the NDAA 2014. But not many speak about why this is happening, why they modified the rules. Recently, interestingly enough, a guy who was interacting with these companies — I’m not sure if you’ve heard about Shane Todd — the guy who lived in Singapore was assassinated apparently under the — basically, the guise of suicide — and there seems to be a lot of suspicion among those two camps of telecom companies and what they might be doing at the back room.

RMS: Well, it’s perfectly reasonable suspicion to me. I don’t think the US government should use operating systems made in China for the same reason that most governments shouldn’t use operating systems made in the US and in fact we just got proof since Microsoft is now known to be telling the NSA about bugs in Windows before it fixes them.

RSS: I was just going to bring this up exactly, so I was saying that the NSA recently received notifications about the zero-day holes in advance and [incomprehensible] the NSA and the CIA to just crack PCs abroad for espionage purposes.

RMS: Now, [incomprehensible] that this proves my point, which is that you have to be nuts if you were some other country and using Windows on your computers. But, you know, given that Windows has a universal back door in it, Microsoft would hardly need to tell the NSA about any bugs, it can tell the NSA about the mal-feature of the universal back door and that would be enough for the NSA to attack any computer running Windows, which unfortunately is a large fraction of them.

TODAY we officially begin a series of interviews with Dr. Richard Stallman, as [cref 69689 promised last week]. Stallman was proven to be right on the issues of privacy and freedom as more information was being shown for everyone to see how surveillance is used to control users’ behaviour and distort/impede communications in some cases. As more evidence came to light, showing in concrete form what a lot of people already knew but could not always prove, there was a lot to be discussed not hypothetically but realistically.

This is the first part of many and the transcript follows (some parts were too incomprehensible due to low recording quality, so we duly apologise for inaccuracies).

Dr. Roy S. Schestowitz: As I said before, I think the plan was mostly to focus on things that we hadn’t touched before and primarily things to do with privacy. I think we were — and many people were — advocating for freedom in technology were proven to be correct in the sense that on the issue of privacy and freedom everything seems to be very symbiotic and I think in recent weeks we found that more and more people have woken up to the fact that they need to assure they can control their software.

Dr. Richard M. Stallman: It’s not just about what happens in your computer. With Free software you control what happens in your computer, but of course there are other systems of snooping. The NSA is setting up snooping that we have been reading about recently. They don’t work through software in your computer. So, what this shows is, a) they have {users must have} control over the software in your computer; b) we need to work politically to make sure that the software that’s not in our computer — the systems that are not ours — are nonetheless not being used to snoop on us.

RSS: I think information is increasingly being used to change behaviour in people and also to distort the ways of communication between entities and I think that routers, for example, play a role in the way in which we interact with computers, so I wonder what your take is on the [snooping] in routers, many of them [are] Cisco ones.

RMS: Ed Snowden, I think, said that the NSA takes control of routers in order to monitor Internet traffic in other countries.

RSS: It is actually proven to be the case and any interested person who researched this subject before would know that Cisco was working with the Chinese government to enable things like sending E-mail port back to communication and such things, so we do know that there is a degree of collusion between them. I think we’ll touch on this later when we’re just thinking the possibility of back doors. But I think it’s more evident now that it comes to light, showing in concrete terms what we already know was probably happening all these years.

RMS: There are many routers you can get that you can then install free software into. So if we are talking about your router, then yeah, you should put Free software into it. But when you talk to other [incomprehensible] it’s critical to ask first if they are not yours. And some of them will belong to companies that might very well be collaborating with surveillance. And Free software is not going to fix that problem, because if that company which [incomprehensible] for its switch/routers was to collaborate with the NSA, it is going to collaborate with the NSA or the Chinese government or whatever. So, Free software means you can control over the software or what your computer is doing or your computers are doing, but it doesn’t necessarily mean that the other organisations you deal with are going to respect your privacy.

RSS: Unless of course we use encryption, for example.

RMS: Yes. Of course encryption in itself doesn’t disguise who we are talking to and it’s been played out that if the government knows who knows who, then it is a tremendous start on breaking any dissident movement.

MAGINE a company stupid enough to follow the trajectory of MySpace and the now-deceasedDigg.comby its very own choice. Enter Twitter.

Twitter was a rapidly-growing site back in the days. It was getting links everywhere, just like Digg had gotten a lot of buttons and links. But then came the OAuth ‘revolution’ and Twitter shot many applications (digital vehicles that brought it traffic) right at the head. It wasn’t an accident. Twitter ended up breaking hooks and denying access by some applications that I was using until 2010, e.g. in IRC. What a colossal mistake. Twitter never quite recovered since then. Au contraire — the site has been declining little by little, especially in recent months. Rather than encourage developers to get involved, Twitter is doing it again — dampening third-party contributions — this time even more aggressively than before.

The news sites took little note of what Twitter had done. Twitter’s API idiocy not only broke crucial parts in 3 Web sites of mine but also in some clients’ sites. Thanks for the trouble, Twitter. You break things and leave us all to collect the pieces.

Twitter is making irrational decisions like killing off RSS, third-party developers, off-site links, etc. Are they on a suicide plan?

Twitter’s own widget, which is apparently what Twitter is trying to promote, is not even valid (X)HTML, so they’re encouraging people to put broken code inside their Web pages while blocking the competition.

Twitter’s future, I would guess, is similar to that of MySpace and Digg.com. The US Library of Congress is saving all the contents, so one day when Twitter.com goes offline we might still remember that old site which committed suicide, taking down with it all of our data, more or less like identi.ca.

WEEK ago I asked my bank for clarifications on privacy. The bank manager never called back at all (they had promised s/he would), essentially making promises in vain and evading the serious issue. I contacted NatWest again, expressing disappointment that they broke their promise. An advisor told me they would call back shortly, but I have been waiting for many hours in vain. Here is the chat log:

You are now connected with an adviser.

Guri: Hi, you’re chatting with Guri. How may I help you?

Dr. Roy Schestowitz: Hi Guri

Dr. Roy Schestowitz: Last week I spoke with a Rep. called Manny

Guri: Hi Dr. Schestowitz

Guri: How may I help you today?

Dr. Roy Schestowitz: He spoke to his boss and said they would call me back by Friday

Guri: okay

Dr. Roy Schestowitz: That was a week ago, on Monday

Dr. Roy Schestowitz: He said they would have phoned by the end of the week, but did not

Guri: I am very sorry to hear that…

Guri: may i know regarding what he has arranged the call for you ?

Dr. Roy Schestowitz: I left my telephone number with him, can you please check this?

Dr. Roy Schestowitz: The cal was regarding data privacy in my 5 accounts, I said I would like my data not to be shared across nations.

Guri: May I know the sort code, your full name and first line of address to check the details for you?

Dr. Roy Schestowitz: Sort code: XXXX , Dr. Roy Schestowitz, XXXX

Guri: Thank you. I will locate your details. There may be a slight delay while I check your information. I appreciate your patience.

Dr. Roy Schestowitz: No problem

Guri: Dr. Schestowitz, If you want I will set a new call back for you and you will get the call within 3-4 hours

Dr. Roy Schestowitz: Please.

Guri: May I know your Telephone number?

Dr. Roy Schestowitz: XXXX

Guri: Thank you

Dr. Roy Schestowitz: I look forward to the call in a few hours, thanks and good day

Guri: I have arranged the call back for you

Guri: You will get the call within 3-4 hours

Guri: Is there anything else I can help you with today?

Dr. Roy Schestowitz: That’s all, thanks

it’s not over yet. They failed to call back twice in a row now. I think it’s deliberate because of the nature of the query. They want secrecy around their abuse of customers’ data.

VERY NOW and then we’re reminded of the fact that politicians, government, police etc. are driven by corporate interests because money — to them — always comes before principles. Here is how they deal with competition.

Setting up the backup cron job, among other jobs. For the standard user/s this involves just nightly backups of all databases overnight, at around 8 PM East Coast time (the physical server is based in California). For root, the story is a little different. Monitoring is run with E-mail alerts (in addition to third-party services which poll over HTTP and dispatch warnings in Web/E-mail form). Someone wrote a script for automatically restarting Apache and sending some diagnostics around multiple maintainers if the service seems to be malfunctioning. I wonder, however, if we need this to run on the new server by default, considering the fact we might have uptime/continuity of service for months as we did years ago. This used to be run as a cron job, in a line which contains */5 * * * * /usr/local/sbin/web-watch. We will be saving it in the home directory before we decommission the old server and lose data. The scripts associated with the jobs have been copied and given the same permissions as before, so they should be usable. HTTPD restart script (in cron job with correct permissions in associated files) requires some cold testing, with additional cron jobs-related tests (requires lots of testing to prevent major catastrophe, e.g. .htaccess should not be (mis-)configured to permit access to privileged parts of the site (none except system files)).

Needing to compare DB sizes to assure all data was migrated successfully (about 1.8 GB of text in the databases). This is tricky for a tool like diff to address. Given that the import yielded no warings and the database dump sizes are roughly right (with the newer, active database being slightly larger), this seems to be passing the sanity check. Readers were encouraged to report problems with the site, as well.

Blocking wiki edits which are anonymous, i.e. from the new address of Varnish. There are Wiki spamming attempts ongoing, and as soon as new registrations and edits by them are allowed, the Wiki gets littered with spam. None of that has stopped.

Merging of domains is work in progress. In Google, site:http://boycottnovell.com might start showing duplicates (w.r.t. Techrights.org) because access to the former domain does not result in the URL being overwritten/rewritten as Techrights.org. To prevent the search engines’ indexes from filling up for two separate domains, the old behaviour is preferred and should be restored. In short: Needing to check that all domains, two .com domains and the default .org domain, are all merged properly to give one single URL for each page, with no plurality (canonical form). Testing a lot of pages on different kinds of sites/domains, redirections included, e.g. boycottnovell.com/SOME-POST-PATH, helps provide reassurance here (for link integrity, i.e. no 404s, not just SEO-driven).

Finding the master template for /etc/sudoers, wherever it resides. We need to add a line to sudoers to allow for faster restarting of the IRC bot/s.

The statistics package we use (needed for security with 4-week retention, but locally-accessible only, for privacy reasons), a simple program called Visitors, has been recompiled for the new server and data passed to /root where scripts reside whose function is retained, having replicated Apache configurations and other settings that relate to them. Some testing is still required for some bots’ function, e.g. access via HTTP to localhost. The Varnish proxy complicates debugging.

Checking of cache directories and plugins, ensuring that they work and aid performance. Pages should generally be loaded more quickly, owing in part to hardware improvements.

IRC logs and access to them should be verified (5 years’ worth), along with access to directories through contents listing (blocked by default in some Apache configurations). Seeing errors through logs can help diagnose such issues.

MIME types for filetypes such as Ogg should be checked, with different file extensions and in-page embedding being tested. A test of oggs seems mostly fine, at least for TechBytes episodes. On the old server (under /etc/mime.types), “video/ogg ogg ogv ogm” was used to capture variations of file extensions. The new server needed OGM added (cat /etc/mime.types | grep ogm showed it to be conspiciously missing).

Mailing technical details to another privileged user, perhaps getting another public key on the server.

Magpie RSS in the Wiki for fetching latest stories from WordPress. Currently, this does not work and it did prove problematic in the past, too.

There are 4 directories of Patent Troll Tracker posts which need to be made inaccessible (chmod 000 for instance) as the author asked them to be made invisible (he got sued over it) before we made the mirror. This is needed for offline preservation (information about notorious patent trolls).

Needing to recheck root directories for similarities, ensuring nothing valuable is left behind on the decommissioned server. This can be achieved most simply using a count of files in several locations, checking space used in areas of importance.

Directory listings, e.g. listing of court exhibits, should be enabled despite the default paranoid setting in Apache. Alternative domain names will inherit those same rules if properly set up.

Resorting a regular remote backup routine, e.g. through the gateway or from server directly to desktop (in the UK), in addition to backups near the rack.